Author Topic: Google blocked, exceptions ignored  (Read 10973 times)


schorhr

  • Guest
Re: Google blocked, exceptions ignored
« Reply #15 on: September 19, 2012, 08:45:43 PM »
Just a quick question: What does the MBR have to do with Avast ignoring the exception list and blocking just google? Couldn't it be some setting/configuration problem after all?

I never used Roguscanner, what info do you need?
I also tried to reset the dns & hosts.

Log
Code:
RogueKiller V8.0.4 [09/19/2012] durch Tigzy
mail: tigzyRK<at>gmail<dot>com
Kommentare: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Betriebssystem: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Gestartet in : Normal Modus
Benutzer : Muk [Admin Rechte]
Funktion : Repariert Hosts-Datei -- Datum : 09/19/2012 20:42:13

¤¤¤ Böswillige Prozesse : 2 ¤¤¤

¤¤¤ Registry-Einträge : 0 ¤¤¤

¤¤¤ Treiber : [GELADEN] ¤¤¤

¤¤¤ Infektion :  ¤¤¤

¤¤¤ Hosts-Datei: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

ÿþ1

¤¤¤ Zurückgesetzt Hosts-Datei: ¤¤¤
127.0.0.1 localhost

Abgeschlossen : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
Terminated 2 x c:\windows\notepad.exe ...

MBR
Code:
¤¤¤ MBR überprüfen: ¤¤¤

+++++ PhysicalDrive0: ST9160314AS +++++
--- User ---
[MBR] 57c0b583ab24ac6e6898d4de5df0f1d8
[BSP] f321c63d5e6d9e38e7d5808515224b65 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 73790 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 151123455 | Size: 73782 Mo
2 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 302230845 | Size: 5004 Mo
3 - [XXXXXX] UNKNOWN (0xef) [VISIBLE] Offset (sectors): 312480315 | Size: 47 Mo
User = LL1 ... OK!
User = LL2 ... OK!
The hidden partition is the XP restore partition of the netbook.

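The MBR check quoted above lists the four partition-table slots with their type codes (a hidden 0x1c restore partition among them) and prints a hash of the boot-sector code so it can be compared with known Windows MBR code. The script below is an added example of that same check, not code from RogueKiller, TDSSKiller or this thread: it parses a 512-byte sector, flags hidden partition types, and hashes the boot-code area against a baseline set. The sector bytes are constructed; only the four partition offsets and sizes are copied from the log, and the empty baseline is a placeholder for real known-good hashes.

```python
# Added example (not RogueKiller's, TDSSKiller's or the thread's own code):
# parse a 512-byte MBR the way a scanner's "MBR check" does, list the partition
# table with hidden-type flags, and hash the boot-code area for comparison
# against a baseline. The sector bytes are constructed here; the partition
# offsets and sizes copy the four entries from the log above.
from __future__ import annotations
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
PART_TABLE_OFFSET = 446
BOOT_CODE_LEN = 440          # bytes 0..439: code; 440..445: disk signature/padding

# Partition type codes used by this example (subset of the standard MBR table).
TYPE_NAMES = {
    0x07: "NTFS", 0x0c: "FAT32-LBA", 0x17: "NTFS (hidden)",
    0x1c: "FAT32-LBA (hidden)", 0xef: "EFI System",
}
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1b, 0x1c, 0x1e}


def parse_partition_table(sector: bytes) -> list[dict]:
    """Return the non-empty entries of the four-slot MBR partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + 16 * slot
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue
        entries.append({
            "slot": slot,
            "active": status == 0x80,
            "type": ptype,
            "name": TYPE_NAMES.get(ptype, "UNKNOWN"),
            "hidden": ptype in HIDDEN_TYPES,
            "lba_start": lba_start,
            "size_mib": count * SECTOR_SIZE // (1024 * 1024),
        })
    return entries


def boot_code_md5(sector: bytes) -> str:
    """MD5 of the code area only, so partition edits don't change the hash."""
    return hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, known_good_md5: set[str]) -> list[str]:
    """Findings a defender wants to see: unknown boot code, hidden partitions."""
    findings = []
    if boot_code_md5(sector) not in known_good_md5:
        findings.append("boot code hash not in baseline")
    for p in parse_partition_table(sector):
        if p["hidden"]:
            findings.append(f"slot {p['slot']}: hidden partition type 0x{p['type']:02x}")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sector: zeroed boot code plus the four entries from the log."""
    sector = bytearray(SECTOR_SIZE)
    table = [  # (status, type, lba_start, sector_count)
        (0x80, 0x07, 63, 0x901F5C0),           # C: 73790 MiB, active
        (0x00, 0x07, 151123455, 0x901B73E),    # D: 73782 MiB
        (0x00, 0x1c, 302230845, 5004 * 2048),  # hidden restore partition
        (0x00, 0xef, 312480315, 47 * 2048),    # 47 MiB EFI-type slot
    ]
    for slot, (status, ptype, start, count) in enumerate(table):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFFSET + 16 * slot,
                         status, ptype, start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    mbr = build_sample_mbr()
    for p in parse_partition_table(mbr):
        flag = "HIDDEN!" if p["hidden"] else "VISIBLE"
        print(f"{p['slot']} - {'ACTIVE' if p['active'] else 'XXXXXX'} {p['name']} "
              f"(0x{p['type']:02x}) [{flag}] Offset (sectors): {p['lba_start']} | "
              f"Size: {p['size_mib']} MiB")
    # Baseline is a placeholder: a real check compares against hashes of known
    # stock boot code (the value RogueKiller prints after [BSP] is such a hash).
    print(check_mbr(mbr, known_good_md5=set()))
```

Hashing only the first 440 bytes is deliberate: the disk signature and partition table change legitimately, while stock boot code does not, so a hash over the code area alone is what can be compared against a baseline. A hidden type code is not proof of anything on its own (here it is a vendor restore partition), which is why the check reports it as a finding to review rather than a verdict.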


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Google blocked, exceptions ignored
« Reply #16 on: September 19, 2012, 09:06:37 PM »
I need to check out areas where malware resides to rule that out as a cause

Could you remove the exceptions from Avast and then try all browsers and let me know which ones alert

schorhr

  • Guest
Re: Google blocked, exceptions ignored
« Reply #17 on: September 19, 2012, 09:20:20 PM »
I need to check out areas where malware resides to rule that out as a cause

Could you remove the exceptions from Avast and then try all browsers and let me know which ones alert

I removed all exceptions, even though it seems to have no effect anyway, and the alerts occur with all browsers I have installed (IE, FF, O...) as mentioned before.

The alert is still the Network-shield (not webshield, so I suppose that explains why it ignores the exceptions), and is anything from http*://www.google.*, sometimes a URL, sometimes the favico...

Offline essexboy

Re: Google blocked, exceptions ignored
« Reply #18 on: September 19, 2012, 10:29:51 PM »
Network shield would tend to suggest it is something on your computer as opposed to an external element ... 

All I have to do now is determine where

Firstly I would like to try and see if it is something within the browser.  We can check that out by using safe mode in firefox as that is the quickest and easiest way

Details here http://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode


Then try a google search .. do you still get the alert

schorhr

  • Guest
Re: Google blocked, exceptions ignored
« Reply #19 on: September 20, 2012, 12:44:43 AM »
Thanks, I tried in FF safe mode, but the problem remains.
As it is in all browsers (and none of them uses a proxy setting atm) I think it's not something from within the browser.

I just tried to ping google using cmd, time out, no alert. Does time out even when all shields are temporarily disabled.
Pinging mail.google.com works though.
google.com resolves to 87.125.87.103...

A quick search (via encrypted google :-) ) brought up http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/Simda.F

Yikes. Backdoor:Win32/Simda?

In HKCU\Software\Microsoft\Windows\Currentversion\RunOnce I can't find anything though.
Two exe in %appdata%, neither avast nor malwarebytes find anything in them. They don't show up in the registry, nor in any other registry or autostart location (msconfig...). The only one I can't make any sense of is svtrev.exe but could be renamed.

A little confusing is that there's no evidence of a changed host file either.

Changing DNS to 8.8.8.8 for a moment brings the same result, so no router issue.
Odd, nothing changes even if using the roguekiller hosts/dns fix option. Just localhost/127.0.0.1 in the host-file anyway. Its location still is %SystemRoot%\System32\drivers\etc, I checked HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath

Odd.

« Last Edit: September 20, 2012, 12:52:00 AM by schorhr »
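The post above works through the standard local-redirection checks by hand: the hosts file, the registry value that says where the hosts file lives, and whether a different resolver gives a different answer for google.com. The script below is an added example of those checks, not code from the thread, RogueKiller or Avast. It reads the hosts file at the byte level and reports its encoding (the "ÿþ" that RogueKiller printed from the hosts file are the bytes 0xFF 0xFE, the UTF-16 LE byte order mark), flags watched names that the file maps away from loopback, checks that a DataBasePath value still points at the stock location, and compares two resolver answers. Everything it consumes is constructed and passed in as arguments so it runs offline: the registry value is a string (reading it for real needs winreg on Windows), the hosts bytes use a TEST-NET-3 address, and the two resolver answers are the addresses the thread reports before and after cleaning.

```python
# Added example, not code from the thread, RogueKiller or Avast: the checks the
# post above walks through, done offline against constructed input.
# (1) read the hosts file at the byte level and report its encoding, since the
#     "ÿþ" RogueKiller printed is 0xFF 0xFE, a UTF-16 LE byte order mark;
# (2) flag watched names that the hosts file maps away from loopback;
# (3) confirm Tcpip\Parameters\DataBasePath still names the stock directory;
# (4) compare the local resolver's answer with a reference resolver's answer.
# The registry value is passed in as a string (reading it needs winreg on
# Windows); the hosts bytes and the answers below are constructed.
from __future__ import annotations
import codecs
import ipaddress

LOOPBACK = {"127.0.0.1", "::1"}
DEFAULT_DATABASE_PATH = r"%SystemRoot%\System32\drivers\etc"


def decode_hosts(raw: bytes) -> tuple[str, str]:
    """Return (encoding label, text). Windows reads hosts as ANSI; any BOM is a finding."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        return "utf-16-le (BOM)", raw[2:].decode("utf-16-le", errors="replace")
    if raw.startswith(codecs.BOM_UTF16_BE):
        return "utf-16-be (BOM)", raw[2:].decode("utf-16-be", errors="replace")
    if raw.startswith(codecs.BOM_UTF8):
        return "utf-8 (BOM)", raw[3:].decode("utf-8", errors="replace")
    return "ansi", raw.decode("cp1252", errors="replace")


def parse_hosts(text: str) -> dict[str, list[str]]:
    """Map each hostname (lower-cased) to the addresses the file assigns it."""
    mapping: dict[str, list[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an address
        for name in fields[1:]:
            mapping.setdefault(name.lower(), []).append(fields[0])
    return mapping


def hosts_findings(raw: bytes, watched: tuple[str, ...]) -> list[str]:
    """Encoding oddities plus any watched domain pointed somewhere other than loopback."""
    encoding, text = decode_hosts(raw)
    findings = []
    if encoding != "ansi":
        findings.append(f"hosts file is {encoding}; Windows expects ANSI text")
    for name, ips in parse_hosts(text).items():
        if any(name == w or name.endswith("." + w) for w in watched):
            for ip in ips:
                if ip not in LOOPBACK:
                    findings.append(f"{name} -> {ip} (hosts override)")
    return findings


def database_path_ok(value: str) -> bool:
    """True when the DataBasePath value still points at the stock hosts directory."""
    return value.strip().rstrip("\\").lower() == DEFAULT_DATABASE_PATH.lower()


def compare_resolution(name: str, local: str, reference: str) -> str:
    """'agree', or a mismatch line, between the machine's resolver and a reference resolver."""
    if local == reference:
        return "agree"
    return f"mismatch: {name} local={local} reference={reference}"


# Constructed sample: UTF-16 LE hosts file with one override to a TEST-NET-3 address.
SAMPLE_HOSTS = codecs.BOM_UTF16_LE + (
    "127.0.0.1 localhost\r\n"
    "203.0.113.10 www.google.com   # constructed override, not from the thread\r\n"
).encode("utf-16-le")

if __name__ == "__main__":
    print(hosts_findings(SAMPLE_HOSTS, watched=("google.com",)))
    print(database_path_ok(r"%SystemRoot%\System32\drivers\etc"))
    # Addresses as reported in the thread: before cleaning, and after.
    print(compare_resolution("google.com", "87.125.87.103", "209.85.148.101"))
```

The encoding step is the one most tools skip: a text editor shows a UTF-16 hosts file as ordinary lines, so "just localhost in the hosts file" can be true of the text while the bytes on disk are not what the resolver expects. When all four checks come back clean, as they did in the post above, the redirection is happening below the hosts file and resolver configuration, which is the point at which driver-level scanning (the next step in this thread) becomes the right tool.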

Offline essexboy

Re: Google blocked, exceptions ignored
« Reply #20 on: September 20, 2012, 07:59:01 PM »
This is definitely a weird one as I am seeing none of the usual signs that I would associate with this problem

Now although the MBR indicated clean are you game to run another programme to check it ?

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application
  • Then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

schorhr

  • Guest
Re: Google blocked, exceptions ignored
« Reply #21 on: September 21, 2012, 05:12:55 PM »
Thank you for all your patience, that did it.
win32.rloader.a
Google now resolves to 209.85.148.101.
I wonder how I got that on my system  ???


I opened the report after the reboot, should I have saved the one before the reboot?
Code:
17:14:17.0562 3740  TDSS rootkit removing tool 2.8.10.0 Sep 17 2012 19:23:24
17:14:18.0046 3740  ============================================================
17:14:18.0046 3740  Current date / time: 2012/09/21 17:14:18.0046
17:14:18.0046 3740  SystemInfo:
17:14:18.0046 3740 
17:14:18.0046 3740  OS Version: 5.1.2600 ServicePack: 3.0
17:14:18.0046 3740  Product type: Workstation
17:14:18.0046 3740  ComputerName: MISTINGNET3
17:14:18.0046 3740  UserName: Muk
17:14:18.0046 3740  Windows directory: C:\WINDOWS
17:14:18.0046 3740  System windows directory: C:\WINDOWS
17:14:18.0046 3740  Processor architecture: Intel x86
17:14:18.0046 3740  Number of processors: 2
17:14:18.0046 3740  Page size: 0x1000
17:14:18.0046 3740  Boot type: Normal boot
17:14:18.0046 3740  ============================================================
17:14:19.0234 3740  BG loaded
17:14:19.0843 3740  Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
17:14:19.0875 3740  ============================================================
17:14:19.0875 3740  \Device\Harddisk0\DR0:
17:14:19.0875 3740  MBR partitions:
17:14:19.0875 3740  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x901F5C0
17:14:19.0875 3740  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x901F5FF, BlocksNum 0x901B73E
17:14:19.0875 3740  ============================================================
17:14:20.0109 3740  C: <-> \Device\Harddisk0\DR0\Partition1
17:14:20.0671 3740  D: <-> \Device\Harddisk0\DR0\Partition2
17:14:20.0750 3740  ============================================================
17:14:20.0750 3740  Initialize success
17:14:20.0750 3740  ============================================================

Offline essexboy

Re: Google blocked, exceptions ignored
« Reply #22 on: September 21, 2012, 05:20:22 PM »
If you could attach the original log.. It will be at C:\TDSSKiller date time

schorhr

  • Guest
Re: Google blocked, exceptions ignored
« Reply #23 on: September 21, 2012, 05:24:04 PM »
Oh, there it is. It's magic! ;-)

Offline essexboy

Re: Google blocked, exceptions ignored
« Reply #24 on: September 21, 2012, 07:29:06 PM »
OK the acpi file was infected

Re-run TDSSKiller with the same parameters and when you get to the following select delete :

\Device\Harddisk0\DR0 ( TDSS File System )

Avast will alert as the files are moved